In 2016, over 117 million LinkedIn email addresses and passwords, originally stolen in the company's 2012 breach, were posted online in a much-publicized data dump. Because so many of those passwords had been reused on other services, the leak directly and indirectly fed a wave of credential-stuffing attacks elsewhere, turning one breach into many and sidestepping the usual safeguards at organizations that had never been breached themselves.
According to the Verizon 2021 Data Breach Investigations Report, credential data was the most common data type targeted by hackers in breaches. 81% of hacking-related breaches involved the theft of usernames and passwords.
Types of password reuse
Before we talk about prevention, let's look at different ways in which password reuse occurs.
Recycling old passwords: Users often rotate back to passwords they have used before. A system that lets a user reset an account to a previous password keeps old, possibly already-leaked credentials alive and puts the network at risk.
Same password on multiple accounts: According to a report from LastPass, business employees manage an average of 191 passwords. Since remembering that many is nearly impossible, they reuse the same credentials across accounts, so a single compromised account exposes every other account that shares its password.
Using an old password at a new company: Another form of reuse occurs when employees change jobs. Your policy can stop them from reusing a password inside your organization, but it no longer governs their behaviour once they move on. A departing employee may well carry a password they used at your company to the new one; if it leaks there and any of their access at your company has not been fully revoked, your systems are exposed.
Using predictable passwords: Lastly, employees commonly choose predictable passwords. In 2020, more than used the password '123456'. A password that popular is among the first guesses in any password-spraying or dictionary attack, so it offers almost no protection.
6 Methods to prevent password reuse
Given that so many passwords have been exposed in previous data breaches, organizations need password reuse prevention tactics to minimize the risk of a cyberattack. Luckily, there are several steps your organization can take to stop employees from reusing passwords.
1. Using longer, more complex passwords
This is the most basic rule you can enforce across your organization to prevent password reuse. According to a study by researchers at Indiana University, adopting a 15-character minimum passphrase deterred over 99% of users from reusing their passwords; by contrast, under weaker policies, over 40% of users reused passwords. Length matters more than complexity rules: current guidance (NIST SP 800-63B) favours long passphrases over mandatory character-class rules and periodic forced rotation, both of which push users toward predictable variations of the same password.
2. Enforcing a password policy
The IT department of your organization can play a key role in preventing password reuse. It can use built-in controls (for example, Active Directory's "Enforce password history" setting and fine-grained password policies) or third-party applications to monitor passwords and prohibit reuse. Note that the built-in AD policy cannot compare a new password against a deny list or a breach corpus; that requires a password filter or a tool such as Azure AD Password Protection. With such a solution in place, commonly used passwords and those known to have appeared in a breach can be blocked at the moment the user tries to set them.
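The following is an added example, not code from the original post or from any vendor, showing what the checks in sections 1 and 2 look like when enforced at password-change time: a 15-character minimum, a deny list of common passwords, a comparison against a breach corpus using the k-anonymity prefix scheme that Have I Been Pwned's range API uses, and a history check against salted PBKDF2 hashes of the user's previous passwords. The deny list, the breach corpus and the sample passwords are constructed for the demo; the function and constant names are this example's own.

```python
"""Password-acceptance check: minimum length, deny list, breach corpus, history.

Added illustration; the deny list and breach corpus below are constructed
stand-ins, not real data.
"""
import hashlib
import hmac
import secrets
from typing import List, Optional, Set, Tuple

MIN_LENGTH = 15            # the passphrase minimum discussed above
HISTORY_DEPTH = 5          # how many previous passwords may not be reused
PBKDF2_ITERATIONS = 600_000

# Constructed deny list of commonly used passwords (a real list has thousands).
COMMON_PASSWORDS = {"123456", "password", "qwerty", "123456789", "12345678", "111111"}

# Constructed stand-in for a breach corpus, stored as upper-case SHA-1 the way
# the HIBP range API publishes it. A real check sends only the first five hex
# characters of the hash and compares the returned suffixes locally.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("Summer2020!Welcome", "Correct-Horse-Battery")
}


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 hash suitable for a password-history store."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def matches_hash(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def breach_range(prefix: str) -> Set[str]:
    """Simulates the k-anonymity range lookup: every known suffix for a 5-char prefix."""
    return {h[5:] for h in BREACHED_SHA1 if h.startswith(prefix)}


def is_breached(password: str) -> bool:
    sha1 = hashlib.sha1(password.encode()).hexdigest().upper()
    return sha1[5:] in breach_range(sha1[:5])


def check_new_password(password: str, history: List[Tuple[bytes, bytes]]) -> List[str]:
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("common")
    if is_breached(password):
        problems.append("breached")
    if any(matches_hash(password, salt, digest) for salt, digest in history[-HISTORY_DEPTH:]):
        problems.append("reused")
    return problems


if __name__ == "__main__":
    # Constructed history: the user's one previous password, stored hashed.
    history = [hash_password("old-passphrase-number-one")]
    for candidate in ("123456", "Summer2020!Welcome",
                      "old-passphrase-number-one", "brand-new-long-passphrase-42"):
        print(f"{candidate!r:35} -> {check_new_password(candidate, history) or 'accepted'}")
```

The history is kept as salted PBKDF2 hashes rather than plaintext so that the history store itself is not a second copy of every old password waiting to be dumped; the cost of that choice is that every history comparison is a full PBKDF2 run, which is why the depth is capped.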
3. Using a password manager
One way to avoid reusing passwords, even across 191 accounts, is to use a password manager. Password managers make it easy to store, protect, and use a unique password for every account. Most support multi-factor authentication on the vault itself, fill credentials into sites and applications automatically, and generate long random passwords on demand; some can also rotate passwords on supported sites. The trade-off is that the vault becomes a single point of failure, so the master password must itself be long, unique, and protected by MFA.
4. Incorporating effective password use into your security awareness programs
A LastPass survey also revealed that even though 91% of users know password reuse is a risk, 61% of these users continue demonstrating this risky behaviour. Incorporating effective password management into employee security awareness programs can play a significant role in preventing this behaviour. Security awareness programs should not only focus on the risks associated with password reuse but also provide employees with easy-to-use tips for creating strong passwords and avoiding common pitfalls.
5. Enabling multi-factor authentication
2FA and MFA make it much harder for an attacker who holds a reused or leaked password to gain access, because they also need a second factor: a code from an authenticator app, a push approval, a hardware security key (FIDO2/WebAuthn), or a biometric on an enrolled device. Codes delivered by SMS still count as a second factor, but they are the weakest option, since they can be intercepted through SIM swapping and captured by phishing pages; prefer app-based codes, and phishing-resistant hardware keys for privileged accounts. Either way, this adds a layer of security beyond the username and password.
6. Using single sign-on to log into different accounts
One of the key causes of password reuse is having to create and remember passwords for a multitude of online accounts and applications. With single sign-on, one identity provider account authenticates the user to many platforms, so there are far fewer passwords to invent and reuse. The caveat is that SSO concentrates risk in that one account: the identity provider must be protected with MFA and monitored closely, because compromising it compromises everything behind it.
20% of all data breaches in 2021 directly resulted from compromised credentials, and password reuse is one of the leading causes of these breaches. Implementing the methods above can help your organization prevent this type of attack.
Packetlabs Services: AD Password Audit
Packetlabs also offers a comprehensive AD password audit, which includes a complete review of all company passwords. This review includes:
Overall risk level
Top used passwords
Top used base words
Comparison of passwords against breach databases
Contact us today to learn more about Packetlabs AD Password Audit.